Results 1 to 10 of 113
Module Checking
1996
Cited by 79 (11 self)
Abstract: In computer system design, we distinguish between closed and open systems. A closed system is a system whose behavior is completely determined by the state of the system. An open system is a system that interacts with its environment and whose behavior depends on this interaction. The ability of temporal logics to describe an ongoing interaction of a reactive program with its environment makes them particularly appropriate for the specification of open systems. Nevertheless, model-checking algorithms used for the verification of closed systems are not appropriate for the verification of open systems. Correct model checking of open systems should check the system with respect to arbitrary environments and should take into account uncertainty regarding the environment. This is not the case with current model-checking algorithms and tools. In this paper we introduce and examine the problem of model checking of open systems (module checking, for short). We show that while module che...
Generalized Model Checking: Reasoning about Partial State Spaces
2000
Cited by 74 (6 self)
Abstract: We discuss the problem of model checking temporal properties on partial Kripke structures, which were used in [BG99] to represent incomplete state spaces. We first extend the results of [BG99] by showing that the model-checking problem for any 3-valued temporal logic can be reduced to two model-checking problems for the corresponding 2-valued temporal logic. We then introduce a new semantics for 3-valued temporal logics that can give more definite answers than the previous one. With this semantics, the evaluation of a formula φ on a partial Kripke structure M returns the third truth value ⊥ (read "unknown") only if there exist Kripke structures M1 and M2 that both complete M and such that M1 satisfies φ while M2 violates φ, hence making the value of φ on M truly unknown. The partial Kripke structure M can thus be viewed as a partial solution to the satisfiability problem which reduces the solution space to complete Kripke structures that are more complete than M wit...
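The two semantics the abstract contrasts, as an added example that is my own code and not from the paper: a constructed partial Kripke structure is checked (a) compositionally with Kleene's 3-valued connectives, (b) by the reduction to two ordinary 2-valued checks (unknown atoms resolved pessimistically to establish truth and optimistically to establish falsity), and (c) under the thorough semantics, by brute-force enumeration of every completion. All names (`PartialKripke`, `eval3`, `eval_bound`, `eval_thorough`, the states and propositions) are my assumptions for illustration; None stands in for ⊥, and the formula language is propositional logic plus the CTL operator EX.

```python
# Added example (mine, not code from the paper above): 3-valued model checking
# of a constructed partial Kripke structure, evaluated three ways.
# Assumptions, all for illustration: states are strings; each proposition is
# labelled True, False or None, where None plays the role of the third truth
# value ⊥ ("unknown"); every state has a successor; formulas are propositional
# logic plus the CTL operator EX, written as nested tuples.
from functools import reduce
from itertools import product

def k_not(v):
    return None if v is None else (not v)

def k_and(a, b):  # Kleene strong conjunction
    if a is False or b is False:
        return False
    return True if (a is True and b is True) else None

def k_or(a, b):
    return k_not(k_and(k_not(a), k_not(b)))

class PartialKripke:
    def __init__(self, labels, succ):
        self.labels = labels  # state -> {prop: True | False | None}
        self.succ = succ      # state -> list of successor states

    def eval3(self, f, s):
        """Compositional 3-valued semantics with Kleene connectives."""
        op = f[0]
        if op == "p":
            return self.labels[s][f[1]]
        if op == "not":
            return k_not(self.eval3(f[1], s))
        if op == "and":
            return k_and(self.eval3(f[1], s), self.eval3(f[2], s))
        if op == "or":
            return k_or(self.eval3(f[1], s), self.eval3(f[2], s))
        if op == "EX":  # exists a successor: n-ary Kleene disjunction
            return reduce(k_or, (self.eval3(f[1], t) for t in self.succ[s]), False)
        raise ValueError("unknown operator %r" % (op,))

    def eval_bound(self, f, s, lower):
        """Plain 2-valued check. With lower=True an unknown atom reads as
        False (pessimistic), with lower=False as True (optimistic); negation
        flips the polarity so every literal is resolved against the formula."""
        op = f[0]
        if op == "p":
            v = self.labels[s][f[1]]
            return (not lower) if v is None else v
        if op == "not":
            return not self.eval_bound(f[1], s, not lower)
        if op == "and":
            return self.eval_bound(f[1], s, lower) and self.eval_bound(f[2], s, lower)
        if op == "or":
            return self.eval_bound(f[1], s, lower) or self.eval_bound(f[2], s, lower)
        if op == "EX":
            return any(self.eval_bound(f[1], t, lower) for t in self.succ[s])
        raise ValueError("unknown operator %r" % (op,))

    def eval_via_two_checks(self, f, s):
        """The reduction: a pessimistic and an optimistic 2-valued run
        together reproduce the compositional 3-valued answer."""
        if self.eval_bound(f, s, lower=True):
            return True
        if not self.eval_bound(f, s, lower=False):
            return False
        return None

    def completions(self):
        """All complete Kripke structures obtained by filling in the unknowns."""
        holes = [(s, p) for s, ps in self.labels.items() for p, v in ps.items() if v is None]
        for bits in product([False, True], repeat=len(holes)):
            labels = {s: dict(ps) for s, ps in self.labels.items()}
            for (s, p), b in zip(holes, bits):
                labels[s][p] = b
            yield PartialKripke(labels, self.succ)

    def eval_thorough(self, f, s):
        """Thorough (generalized) semantics: None only if completions disagree."""
        answers = {m.eval3(f, s) for m in self.completions()}
        return answers.pop() if len(answers) == 1 else None

def example_structure():
    """Constructed structure: s0 -> {s1, s2}, s1 -> s1, s2 -> s2."""
    labels = {"s0": {"p": None, "q": True},
              "s1": {"p": True, "q": None},
              "s2": {"p": False, "q": False}}
    return PartialKripke(labels, {"s0": ["s1", "s2"], "s1": ["s1"], "s2": ["s2"]})

P, Q = ("p", "p"), ("p", "q")
FORMULAS = {
    "p or not p": ("or", P, ("not", P)),
    "p and not p": ("and", P, ("not", P)),
    "EX p": ("EX", P),
    "EX q": ("EX", Q),
    "q and EX(p and q)": ("and", Q, ("EX", ("and", P, Q))),
}

def compare(name, state="s0"):
    """(compositional, two 2-valued checks, thorough) for a named formula."""
    m, f = example_structure(), FORMULAS[name]
    return m.eval3(f, state), m.eval_via_two_checks(f, state), m.eval_thorough(f, state)
```

Running `compare("p or not p")` shows the gap the abstract describes: the compositional semantics and the two-check reduction both answer ⊥ because p is unknown at s0, while the thorough semantics answers true since every completion of the structure satisfies the tautology; `compare("p and not p")` is the dual case. For `EX q` all three agree on ⊥, because completions genuinely disagree. The brute-force enumeration is exponential in the number of unknown labels, which is the cost the paper's semantics pays for the sharper answers.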
Multi-Valued Symbolic Model-Checking
ACM Transactions on Software Engineering and Methodology, 2003
Cited by 50 (16 self)
Abstract: This paper introduces the concept and the general theory of multi-valued model checking, and describes a multi-valued symbolic model-checker, χChek. Multi-valued ...
Merging Partial Behavioural Models
In Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2004
Cited by 46 (26 self)
Abstract: Constructing comprehensive operational models of intended system behaviour is a complex and costly task. Consequently, practitioners have adopted techniques that support incremental elaboration of partial behaviour descriptions. A noteworthy example is the wide adoption of scenario-based notations such as message sequence charts. Scenario-based specifications are partial descriptions that can be incrementally elaborated to cover the system behaviour that is of interest. However, how should partial behavioural models described by different stakeholders with different viewpoints covering different aspects of behaviour be composed? How should partial models of component instances of the same type be put together? In this paper, we propose model merging as a general solution to these questions. We formally define model merging based on observational refinement and show that merging consistent models is a process that should result in a minimal common refinement. Because minimal common refinements are not guaranteed to be unique, we argue that the modeller should participate in the process of elaborating such a model. We also discuss the role of the least common refinement and the greatest lower bound of all minimal common refinements in this elaboration process. In addition, we provide algorithms for i) checking consistency between two models; ii) constructing their least common refinement if one exists; iii) supporting the construction of a minimal common refinement if there is no least common refinement.
A Constraint-Oriented Proof Methodology Based on Modal Transition Systems
In BRICS Notes, 1995
Cited by 44 (7 self)
Abstract: In this paper, we present a constraint-oriented state-based proof methodology for concurrent software systems which exploits compositionality and abstraction for the reduction of the verification problem under investigation. The formal basis for this methodology is Modal Transition Systems, which allow loose state-based specifications that can be refined by successively adding constraints. Key concepts of our method are projective views, separation of proof obligations, Skolemization and abstraction. The method is even applicable to real-time systems.
1 Introduction: The use of formal methods, and in particular formal verification of concurrent systems, interactive or fully automatic, is still limited to very specific problem classes. For state-based methods this is mainly due to the state explosion problem: the state graph of a concurrent system grows exponentially with the number of its parallel components, leading to an unmanageable size for most practically relevant systems. Consequentl...
Monotonic abstraction-refinement for CTL
In TACAS, 2004
Cited by 25 (3 self)
Abstract: The goal of this work is to improve the efficiency and effectiveness of the abstraction-refinement framework for CTL over the 3-valued semantics. We start by proposing a symbolic (BDD-based) approach for this framework. Next, we generalize the definition of abstract models in order to provide a monotonic abstraction-refinement framework. To do so, we introduce the notion of hyper-transitions, which yields an abstract model in which more CTL formulae can be proved or disproved. We suggest an automatic construction of an initial abstract model and its successive refined models. We complete the framework by adjusting the BDD-based approach to the new monotonic framework. Thus, we obtain a monotonic, symbolic framework that is suitable for both verification and falsification of full CTL.
Timed Modal Specification: Theory and Tools
In Proc. of the 5th Int. Conf. on Computer Aided Verification, volume 697 of Lecture Notes in Computer Science (LNCS), 1997
The Use of Static Constructs in A Modal Process Logic
1989
Cited by 24 (12 self)
Abstract: ... this paper we want to demonstrate that, from a practical ...
A game-based framework for CTL counterexamples and 3-valued abstraction-refinement
In Computer Aided Verification (CAV), LNCS 2725, 2003
Cited by 24 (6 self)
Abstract: This work exploits and extends the game-based framework of CTL model checking for counterexamples and incremental abstraction-refinement. We define game-based CTL model checking for abstract models over the 3-valued semantics, which can be used for verification as well as refutation. The model checking may end with an indefinite result, in which case we suggest a new notion of refinement, which eliminates indefinite results of the model checking. This provides an iterative abstraction-refinement framework. It is enhanced by an incremental algorithm, where refinement is applied only where indefinite results exist and definite results from prior iterations are used within the model checking algorithm. We also define the notion of annotated counterexamples, which are sufficient and minimal counterexamples for full CTL. We present an algorithm that uses the game board of the model checking game to derive an annotated counterexample in case the examined system model refutes the checked formula.
Abstraction for falsification
In Proceedings of Computer Aided Verification (CAV 2005), volume 3576 of LNCS, 2005
Cited by 20 (2 self)
Abstract: Abstraction is traditionally used in the process of verification. There, an abstraction of a concrete system is sound if properties of the abstract system also hold in the concrete system. Specifically, if an abstract state a satisfies a property ψ then all the concrete states that correspond to a satisfy ψ too. Since the ideal goal of proving a system correct involves many obstacles, the primary use of formal methods nowadays is falsification. There, as in testing, the goal is to detect errors, rather than to prove correctness. In the falsification setting, we can say that an abstraction is sound if errors of the abstract system exist also in the concrete system. Specifically, if an abstract state a violates a property ψ, then there exists a concrete state that corresponds to a and violates ψ too. An abstraction that is sound for falsification need not be sound for verification. This suggests that existing frameworks for abstraction for verification may be too restrictive when used for falsification, and that a new framework is needed in order to take advantage of the weaker definition of soundness in the falsification setting. We present such a framework, show that it is indeed stronger (than other abstraction frameworks designed for verification), demonstrate that it can be made even stronger by parameterizing its transitions by predicates, and describe how it can be used for falsification of branching-time and linear-time temporal properties, as well as for generating testing goals for a concrete system by reasoning about its abstraction.
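The two soundness notions in the abstract above, as an added example that is my own code and not from the paper: a constructed concrete transition system with one proposition `bad` is abstracted by a partition of its states, and the reachability property EF bad (whose negation AG not-bad is the safety property one would verify) is checked on the over-approximating (may) and under-approximating (must) abstract transitions. A "not reachable" answer from the may abstraction is sound for verification; a "reachable" answer from the must abstraction is sound for falsification; the other two answers guarantee nothing, which is what the spurious-counterexample case shows. Class and function names (`Concrete`, `Abstraction`, `may_ef_bad`, `must_ef_bad`, `verdicts`) and the toy systems are my assumptions for illustration, not the paper's framework.

```python
# Added example (mine, not code from the CAV 2005 paper above): the two notions
# of abstraction soundness from the abstract, checked on constructed toy systems.
# Assumptions, all for illustration: a concrete system is a finite Kripke
# structure with one proposition `bad`; the property is the reachability
# formula EF bad, whose negation AG not-bad is the safety property one would
# verify; an abstraction is a partition of the concrete states carrying the
# usual may (over-approximating) and must (under-approximating) transitions.
from collections import deque

class Concrete:
    def __init__(self, init, succ, bad):
        self.init, self.succ, self.bad = set(init), succ, set(bad)

    def ef_bad(self):
        """Ground truth: can some initial state reach a bad state?"""
        seen, todo = set(self.init), deque(self.init)
        while todo:
            s = todo.popleft()
            if s in self.bad:
                return True
            for t in self.succ[s]:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return False

class Abstraction:
    def __init__(self, conc, blocks):
        self.conc = conc
        self.gamma = {i: set(b) for i, b in enumerate(blocks)}  # abstract -> concrete
        self.alpha = {s: a for a, b in self.gamma.items() for s in b}
        self.init = {self.alpha[s] for s in conc.init}
        # may edge a->b: SOME concrete state of a has a successor in b
        # must edge a->b: EVERY concrete state of a has a successor in b
        self.may = {a: set() for a in self.gamma}
        self.must = {a: set() for a in self.gamma}
        for a, ca in self.gamma.items():
            for b, cb in self.gamma.items():
                hits = [any(t in cb for t in conc.succ[s]) for s in ca]
                if any(hits):
                    self.may[a].add(b)
                if all(hits):
                    self.must[a].add(b)

    def bad3(self, a):
        """3-valued label: True if every concrete state of a is bad, False if none, else None."""
        flags = {s in self.conc.bad for s in self.gamma[a]}
        return flags.pop() if len(flags) == 1 else None

    def _reach(self, edges, hit):
        seen, todo = set(self.init), deque(self.init)
        while todo:
            a = todo.popleft()
            if hit(self.bad3(a)):
                return True
            for b in edges[a]:
                if b not in seen:
                    seen.add(b)
                    todo.append(b)
        return False

    def may_ef_bad(self):
        """Over-approximation. A False answer is sound for verification: AG not-bad
        holds concretely. A True answer may be spurious."""
        return self._reach(self.may, lambda v: v is not False)

    def must_ef_bad(self):
        """Under-approximation. A True answer is sound for falsification: every
        concrete state of the initial block really reaches a bad state."""
        return self._reach(self.must, lambda v: v is True)

def safe_system():
    """Constructed: 0 -> 1 -> 2 (loop); 3 -> 4 (bad) is unreachable."""
    return Concrete([0], {0: [1], 1: [2], 2: [2], 3: [4], 4: [4]}, [4])

def buggy_system():
    """Constructed: 0 -> 1 -> 2 -> 4 (bad); 3 -> 4 as well."""
    return Concrete([0], {0: [1], 1: [2], 2: [4], 3: [4], 4: [4]}, [4])

def verdicts(conc, blocks):
    """(concrete EF bad, may-abstract EF bad, must-abstract EF bad)."""
    a = Abstraction(conc, blocks)
    return conc.ef_bad(), a.may_ef_bad(), a.must_ef_bad()
```

Merging the unreachable state 3 with state 1 in `safe_system()` makes the may abstraction report a path to the bad block that no concrete execution follows, so "bad reachable" from a verification-sound abstraction is not a finding; the must abstraction of the same partition reports nothing, and refining the partition to singletons lets the may abstraction prove the system safe. In `buggy_system()`, grouping states 2 and 3 (both of which step to the bad state) gives a must path, and that answer is a real violation without any concrete re-run, which is the falsification soundness the abstract defines.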